vite-plugin-csp
TODOs: Features under consideration
Nonce support
Unfortunately supporting nonces requires supporting SSR since a nonce has to be unique to each session, and it's on the implementer to create and manage sessions. This means creating an interface to much more efficiently identify where the nonces are needed and provide some sort of session information. The more I think about ways to implement it, the more complicated it becomes; this may be another feature that would need to be partially delegated to framework-specific plugins.
Early warning of disallowed source URLs
This seems pretty straightforward, and I plan to implement it in the near future, as this can be added without much reworking. It may add additional build time though, as there are a greater variety of tags and attributes it would need to parse.
Parsing URLs and sources embedded in JS sources
This is a little more complicated, since understanding what is embedded might require framework-specific plugins. I'm open to suggestions, but beyond providing a plugin interface, this might be beyond the scope of this package.
Other directives supporting hash and nonce values
The Mozilla docs aren't clear on how the nonce and hash source values relate to the other types of external resources like iframe, media, img, and workers, but they do list them, so I'll have to see what's going on with those.
Multiple hash algorithms per source
I plan on implementing this soon™. But it does require deviating from a configuration directly compatible with the csp-html-webpack-plugin, which will take some more thought about what would be the most convenient way to implement it.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I am the author of this plugin: https://github.com/melloware/csp-webpack-plugin
I took the original Slack plugin and added some more features: Subresource Integrity and Trusted Types handling. I thought you might be interested in adding those as well to this plugin.
Nice work! I have been considering switching from CRA to Vite, but not having a CSP plugin like mine was one of the things holding me up.
In the webpack plugin we used a config like this:
{
  styleTagFactory({ style }) {
    return `<style type="text/css" nonce="{{nonce}}">${style}</style>`;
  },
}
For us, that is an easy way to get the nonce-support we require. Is something similar possible in this plugin?